Re: [DNSOP] DNSSEC as a Best Current Practice

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Fri, 08 April 2022 05:05 UTC

Message-ID: <0c7478e8-d522-a174-4af4-aa0abffc93f4@necom830.hpcl.titech.ac.jp>
Date: Fri, 08 Apr 2022 14:04:57 +0900
To: Bjørn Mork <bjorn@mork.no>, "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <57f1c37b-497c-e1a0-329c-4b9c8b7e197b@necom830.hpcl.titech.ac.jp> <A9F689C9-4ABF-4947-AA6B-56E2F0C17D13@nohats.ca> <9732682e-78e7-f6bf-84fc-685de22d5e12@necom830.hpcl.titech.ac.jp> <350d8ab8-0477-b656-8b08-56f7561a7fda@necom830.hpcl.titech.ac.jp> <860d0d0-281e-b8c9-4169-5998a95a581f@nohats.ca> <00501a4b-0e47-e25e-2791-d0b80a416793@necom830.hpcl.titech.ac.jp> <877d80zy3v.fsf@miraculix.mork.no>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
In-Reply-To: <877d80zy3v.fsf@miraculix.mork.no>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8kAZt8uCvxMbYIpkIpAWGlJBwYI>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

Bjørn Mork wrote:

>> Is there anyone who still thinks, with reasons, that DNSSEC is
>> cryptographically secure or has protected TLDs more securely
>> than DigiNotar?
>
> Does DNSSEC make the TLD operators less trustworthy in your eyes?

Good point.

A false sense of security that DNSSEC is
cryptographically secure motivates the operators
to ignore DNSSEC operation rules, which are very
complicated and hard to follow, in favour of relatively
strong physical security, which might be what
happened at DigiNotar.

With proper recognition that DNSSEC is not cryptographically
secure, operators won't violate rules for physical security
of DNSSEC and will, instead, stop operating DNSSEC.

Masataka Ohta